OlympicAIDS
:Not to be confused with AIDS or AIDS II. Virus.DOS.VCL.Olympic.1440, or commonly called OlympicAIDS, is a virus that runs on MS-DOS. It is written by The Penetrator. Behavior The method used by this virus to search for the next file to be infected is not very efficient, though. Once the virus has infected a large number of the files on the hard disk, it might take half a minute for the virus to find a new victim file, thus to slow down the machine. This observation is likely to let the user to know that there is a virus in the machine. When the virus finds a file to infect, it first checks its size to make sure the added virus code will not grow the file over the size limit of DOS executable files, 64KB. Then it inspects the first bytes of the candidate file to see if it already contains a similar jump construct that the virus is about to insert to the beginning of file. If such structure is found, the virus considers the file to be already infected and starts to search for another victim. The virus does not check for the 'MZ' or 'ZM' markers to distinguish EXE files. This means that the virus will corrupt EXE files that have been renamed to have a ".COM" extension. When such a corrupted file is executed after infection, the virus will be able to spread further, but is unable to transfer control back to the original program. In most cases the machine will just crash. The actual infection process consists of storing the original first three bytes of the file to the end of the file and replacing them with a jump to a decryption routine, which the virus also appends to the end of the file. An encrypted version of the virus code is also stored to the end of the file, before the decryption routine. The virus uses a single pseudo-random variable key based on the infection time to encrypt it's code. OlympicAIDS is able to infect files which have the DOS read-only attribute turned on. It will also restore the date and time stamps of the infected files. However, infected files grow in size by 1440 bytes, and this is visible in the directory listing. The virus has no directory-stealth routines, since it does not stay resident. Payload The virus activates by random after the 12th of February, that the 1994 Winter Olympics started on this date. At the time of activation, the virus draws the Olympic circles to the screen and displays some comments the Games. After this, it overwrites the first 256 sectors of the first hard disk in system. The virus also disables Ctrl-C and Ctrl-Break during the destruction routine. Finally, the machine is hanged. When an infected file is executed, the virus first decrypts its code. Then it starts to recursively search for suitable victim files, starting from the root directory of the current drive. Other details A lot of the code resembles the viruses generated by the VCL virus generator, up to the point of the standard VCL-like note; a short message in the end of the virus, which is not displayed at all. In this virus, the note text reads: "Olympic Aid(s) '94 © The Penetrate". This virus is probably based on VCL-created code, and has just been modified to avoid detection by some of the most popular scanners. Media it:OlympicAIDS Category:DOS virus Category:Virus Category:DOS